An Open Letter to Security Vendors


August 25, 2015

By John J. Masserini

So tell me - did you hear the news?? Apparently the rumors are indeed true.

2015 is the year of the Security Startup.

And in the words of the greatest British comedy troupe ever… and there was much rejoicing …

However, after meeting with dozens of startups at Black Hat a few weeks ago, I've realized that the vast majority of the leaders of these new companies struggle to articulate the value their solutions bring to the enterprise.

Like many of us, I have seen many new technologies in the security space that promise to ‘solve all of my problems’ or ‘revolutionize the space.’

Sadly, most of them have gone the way of the Betamax – superior technology that suffered from poor implementation.

Vendors fairly often ask me a basic question: “As a CISO, what does it take for a startup to get your attention?” While it seems like an innocent question, the complexities of the answer typically result in glassed-over eyes, fidgeting, and even the occasional ‘hey, let me introduce you to…’ blow-off. Rarely is there a person who wants to hear the real answer.

Most successful security executives know that effective programs are more than just a suite of tools; they are the integration of people, technology, process and education. None of these can be substituted for another, but they can enhance and augment one another to provide a greater good.

Tools allow my team to be efficient, expedient and productive. Much to the chagrin of most vendors, tools are not, and will never be, my silver bullets. By themselves, tools do not a security program make, but each can be a solid piece of technology, implemented in such a way as to allow my team to make the best use of their skillset.

So, in a slight change of pace, the next few columns are going to be an ongoing open letter to vendors of all shapes and sizes, but particularly to startups. The goal is not to be a soapbox, but rather to be that cold bucket of water to the face for the CEO/CTO/Product Manager of every vendor in the space.

So to all those sales, marketing and start-up types that truly want to know how to get our attention, read on…

An Open Letter to Security Vendors – Part 1

What better place to start than with what is typically a CISO’s first introduction to a solution – the sales & marketing teams. On an average day, I get hundreds of emails, many of which are business related. However, an inordinate number of them are sales and marketing materials.

While I’m sure your solution is great and the technology is revolutionary, in no way, shape or form do you have my ‘silver bullet.’ Your solution will not ‘make me sleep better,’ ‘reduce the overall risk to my infrastructure,’ or ‘give me granular insight into my threats’ – and do you know why? It is because you don’t know what my concerns are. You don’t live in my world or understand what my challenges are and presuming that you do is the first step to the Betamax graveyard.

Also, stop trying to scare me into a purchase. Yes, I have read the recent (insert vendor name here) Data Breach Report or the latest (insert analyst name here) Research Report. I don’t care what quadrant you’re in or who says you're a leader in your space – all I care about is how you’re going to reduce the risk in my environment, and if you can do that in three sentences, why wouldn't you?

So, to those CEOs/CTOs/Marketing Execs and sales folk, I say this with all sincerity and honesty…

Mad Libs© are your friend.

I was recently discussing how many startups have a ‘Lack of Message’ problem with a friend, who happens to be one of the few sales executives in the industry I trust. She just laughed and said, ‘They’ve forgotten what Mad Libs are.’

It was an epiphany.

Do you remember Mad Libs? The silly little books of unfinished stories you had as a kid that invited you to fill in the missing words with pronouns, verbs, or adjectives? That's what's missing from most of today's interactions between companies and CISOs.

We don't want your life story, or to hear about your decades of experience running companies, or the brilliance of your algorithms - we want to hear about how you're going to address a problem we have. If you do solve one of our pain points, we will want to hear the rest of the story. But your CEO’s 30-year tenure of running a Fortune-1000 company doesn’t matter to me if your solution doesn’t meet my needs to begin with. Tell me how you will help - then the rest will come.

I can't tell you the number of vendors I met at Black Hat that lost my interest in the first five minutes, only because they felt the CEO's credentials meant more than the solution's functionality. Are their solutions promising? Perhaps - but since you spent all of your time telling me about your angels and executive team, I’ll never know. If you had made those first precious 15 seconds more valuable for me, at least I’d know what you do.

So, here's a little InfoSec Mad Lib to get you started. Try it out and see if it will work for you.

Hi, my name is _____ and I am the _____ of _____. Our company’s goal is to help you _____ by providing _____ that will _____. If you are dealing with _____ in your environment, we would love to demo our _____ solution and see if there is a fit.

Here's a real-world example:

Hi, my name is John Smith and I am the CEO of TrustMe. Our company's goal is to help you gain control over privileged users by providing a secure proxy that will manage, log, and report on all Admin and Root access. If you are dealing with uncontrolled administrator credentials in your environment, we would love to demo our SecureAdmin solution and see if there is a fit.

There you go. Three sentences and 15 seconds that will hook the vast majority of security executives into at least giving you a direction. Perhaps they are dealing with it and want to hear more. Perhaps they have already addressed the issue and aren't interested. Either way, you'll know your next steps, less time is wasted, and after all, isn't that what we both want?

More to come in Part II… Stay Tuned.
